Q&A: 1Password


Carl Slawinski is the Chief Evangelist for Agile Web Solutions, the company behind 1Password, a hugely popular Mac software title. In this interview he takes us down memory lane and talks about how the idea for 1Password was born, he introduces some of the features that are coming in version 3.0 later this year, and also offers advice for Mac software developers.

1Password is the de facto choice for password safekeeping on the Mac. Can you give us some background on the project? How did you get from the raw idea to a product with a massive user base and a myriad of awards?
I am sure that a lot of us have heard that great software starts out as something that developers write for themselves as opposed to something created to be a product. This is certainly true in the case of 1Password. Roustem and Dave (the founders of Agile Web Solutions) like myself were previously Windows users and came to the Mac only in the last few years. So basically we were switchers who arrived on the Mac platform looking for Mac equivalents of software we used on Windows. The thing all of us had in common was that we were not able to find a password manager integrated into our browser on the Mac. In my case, this was the only software I did not find a Mac equivalent for and continued to search.

Roustem and Dave took matters into their own hands and decided to write their own since they both had a long history of application development in the corporate world. In early 2006 Roustem and Dave started investigating whether it was even possible to do an application of this nature on the Mac. Luckily they found that it was possible, had a beta released in May, and released 1Passwd version 1.0 on June 18th, 2006. Note the spelling of the name without the “or” in 1Password.

The original name was always intended to be 1Password and not 1Passwd but when Roustem went to purchase 1Password.com he discovered it was already taken. Since 1Password was an unproven application at that time, it was decided to change the name to the unix flavor spelling and thus it became 1Passwd. This decision tells a little more about 1Password as well.

Unlike some companies who look for seed capital or investment from the outside, Roustem and Dave decided that 1Password would have to support itself to survive. I think this is a contributing factor as to why it has been so successful as a product. We’ve always let 1Password stand on its own merits and interacted with users of 1Password on a close level. Ultimately, it is the users of 1Password that have made it so popular. We’ve always said that if we could just get people to try 1Password then we know they would love it. Therefore, we’ve spent almost no money on advertising and rely heavily on referrals from existing users. We have also done some promotions that other developers might label as plain crazy. In October of 2007, we were able to buy out the owner of 1Password.com and thus we changed the name to the current and originally desired name: 1Password.

1Password comes with integrated anti-phishing protection. How does it work?
1Password excels at handling web passwords because of the browser integration. This is the real power of 1Password in my opinion. There are a lot of applications that can store passwords in a “vault” and lock them away for safe keeping. You could even use a password protected document or spreadsheet to track them all. The problem with those approaches though has always been the inconvenience of getting your usernames and passwords where you need them and *only* where they belong. Today that place is normally in the browser. The browser integration of 1Password means that when you type a username and password on a web page 1Password offers to save it for you and also records the full URL at which it is being saved. This is key to helping with phishing attacks.

Phishing schemes rely on confusing the user by presenting a page that looks like a legitimate page but is in fact a bogus copy of the original page. Since 1Password knows where the username and password combination belong, it does not restore them on these bogus sites. For example, if you have your eBay login saved then 1Password knows that ebay.com is the domain for that login. If you try to force it to fill at some bogus site like IP Address/ebay/login as is popular with phishing e-mail URLs, it will not fill it.

I remember a 1Password user who wrote in one time and he expressed that originally he wanted to be mad at us because he was experiencing frustration with 1Password not filling in his credentials on a site. He told us that he had tried multiple times and eventually went to go and copy and paste the credentials manually when he took pause and decided to look a bit closer at the URL of the site. It was then that he noticed that he had come very close to being phished and as he put it “1Password was saving him from himself”. So he wrote in to thank us for being adamant about not letting 1Password fill information where it does not belong.
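The fill decision described in this answer can be sketched as a host comparison. This is an added example, not part of the interview and not 1Password's code; the function names and the policy (fill only on the saved domain or one of its subdomains, never on an IP-literal host) are assumptions.

```javascript
// Added illustration, not 1Password's code. Assumed policy: fill only when the
// page's host equals the saved domain or is a subdomain of it.

// Return the normalized host of an http(s) URL, or null if it cannot be used.
function pageHost(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return null; // unparsable URL: never fill
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  return url.hostname.toLowerCase().replace(/\.$/, ''); // drop a trailing dot
}

// An IP-literal host can never match a saved domain name.
function isIpLiteral(host) {
  return host.startsWith('[') || /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

function shouldFill(savedDomain, rawUrl) {
  const host = pageHost(rawUrl);
  if (!host || isIpLiteral(host)) return false;
  const saved = savedDomain.toLowerCase();
  // Compare on a label boundary so "notebay.com" does not match "ebay.com".
  return host === saved || host.endsWith('.' + saved);
}

// Constructed sample URLs (192.0.2.10 is a documentation-range address).
const samples = [
  'https://signin.ebay.com/ws/login',
  'https://ebay.com/',
  'http://192.0.2.10/ebay/login',
  'https://ebay.com.example.net/login',
  'https://notebay.com/login',
  'not a url',
];

// Pair each sample with the fill decision for a login saved under ebay.com.
function evaluateSamples() {
  return samples.map((u) => [u, shouldFill('ebay.com', u)]);
}

for (const [u, ok] of evaluateSamples()) {
  console.log((ok ? 'fill   ' : 'refuse ') + u);
}
```

A production matcher would compare registrable domains using the Public Suffix List rather than a plain suffix test.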

What are the most requested features and fixes for 1Password?
The core functionality of 1Password is saving and restoring usernames and passwords for web sites. However, it has evolved into a lot more over time. Most of this is a result of user feedback. Early on (back in the 1Passwd days) web logins were the only thing stored in 1Password. People liked 1Password so much for this purpose that they decided that they would like to store other types of information in 1Password as well. So secure notes were born which allowed people to have a free form and unformatted area to store all sorts of things. This is where I stored all my software registration codes and other sensitive information that was not related to the web.

Eventually people wanted a more structured format for some of this type of data and the wallet feature was developed. We added a few default wallet types to cover the main cases. However, expansion of this feature has become the most requested feature. People want the ability to have custom fields and types and this will be coming soon. When we first added the wallet feature we thought it was kind of a minor feature and we were not prepared for the massive amount of acceptance and push for expansion of it. Today I think people look at 1Password as more of an information manager as opposed to just a web password manager and while this was not our original intention we’ve embraced the desires of 1Password users and have given 1Password a broader scope over time. In regards to fixes, we release updates a lot. A small number of people complain that we release updates too often. However, when we fix any kind of bug that affects 1Password in any kind of significant way, we want to get it out there to people. We do not want there to be unresolved pain points for 1Password users even if it is something relatively minor. Small things get fixed fast and frequently and are pushed out in updates.

At the current time though, the number one requested fix would be that of form filling. 1Password allows you to create identities which contain information such as your name, address, phone number, etc. When surfing the web you are often faced with forms to fill out to register for sites, get information sent to you, enter contests, or make purchases in online stores. 1Password can use the information from identities you have saved to fill these forms. However, there are a lot of ways for a web designer to create a web form and the variances and lack of standards in this area result in forms that range from fairly standard to way out there. Moreover, there is randomization of field names and other designs that trip 1Password’s form filling up frequently. We have some great ideas for the next generation form filler in 1Password but it requires an almost total overhaul of what is in the code now. This is our most requested area of improvement in 1Password and is something we will be addressing soon after the 3.0 release.

You are gearing up for the 3.0 release of 1Password later this year. What can we expect?
We started working on 3.0 a little over a year ago. The first thing that was decided was that we wanted 3.0 to have a new look in the main application. In the early stages of 3.0 what was happening is that we continued to improve 2.0 but under the covers we were redesigning the user interface. We did this by creating a hidden preference that switched the application from the 2.x user interface to the 3.0 interface. Toggling this option allowed us to switch back and forth. Eventually the new features started being added and were also hidden in the 2.x releases.

It was only a few months ago that the 3.x code was completely split from the 2.x code. We actually wanted to have 3.0 released well before the Snow Leopard release so that most people would be on 3.0 when it arrived. Unfortunately, many delays resulted in Snow Leopard being released before 1Password 3.0. This explains why 3.0 has native 64-bit support while 2.0 remains in 32-bit. While we’ve recently blogged about the new stuff in 3.0 we still have features that haven’t really been announced that we want to get into 3.0. One of these is file attachments to items in 1Password. We are really hoping this is going to make the official 3.0 release as a lot of people have asked for this. We also understand that syncing is very important to people and we also plan to get something really nice added in that regard. It is still in development but appears to be coming along nicely. So hopefully we will have a nice surprise for people in that area as well.

Nearly every time a piece of software 1Password works with is updated, you have to release a new version of the software in order to retain functionality. How difficult is it to keep the pace with all the new releases? Is support working overtime when a new version of Safari comes out?
We are fairly conservative with how 1Password loads into the browsers even though some have criticized us for not being more conservative. We do version checking and do not load 1Password in a browser if we have not tested with it in most cases. However, this is not always the case. Eventually a browser release comes out that does cause 1Password not to load the 1Password code. Sometimes the fix only requires us updating the version numbers but in some cases we have to do some code changes to restore the functionality. We try to support a lot of Mac browsers because we do not want people to feel that they are tied to a particular browser because of 1Password. I can tell you though that when a new browser is released and 1Password is not present there, we get a LOT of e-mail.

Generally, developers and everyone else have to stop all activities and go into full e-mail response mode. In almost every case of a browser update that went beyond our versioning, we’ve restored 1Password support the same day. I think the longest period was 20 hours on a particular browser release. After the update, we blog about it, post to the forums, add comments to the software update sites, and generally spread the word wherever we can. However, we still get a lot of people writing in saying that they updated XYZ browser and their 1Password icon is gone. We could be more relaxed on the version checking but ultimately we believe we handle it fairly well with the current approach. Any time you are integrating into or with another application there is a chance that an update will require changes. The same can be said for applications that do things with iTunes, iPhoto, Mail, etc. It is just part of the business.

What advice would you give to upcoming developers that wish to work on software for the Mac OS X platform?
First, do not quit your day job. We currently have nine people working full time at Agile Web Solutions as well as one part-timer. We also have raving fans and volunteers who help us with forum moderation and spam fighting. However, we started small and only grew as the product revenue permitted. Roustem and Dave were the founders and shortly after they quit their day jobs I was brought onboard and was able to quit my corporate job. We have since grown slowly one person at a time as the workload and revenue increased. In that sense, we are an old-fashioned company.

Unlike some of the dot.com era companies that got the users first and then tried to figure out how to monetize the product later only to find that people were not buying, 1Password has and continues to pay for itself. We feel fortunate that so many people have embraced 1Password and have allowed us to pursue our passion for creating the best password manager on the Mac. Next, I would say to upcoming developers that they should get something released soon. The world is full of unreleased 1.0 versions because developers try to make it perfect before release. We are perfectionists too but as Steve Jobs is famous for saying: “real artists ship”. You have to ship your product. Ultimately, the users are going to tell you what they like and do not like and what your 1.1 release needs to look like. Finally, be honest with your users. If something is broke then admit it is broke, apologize, and work on getting it fixed as soon as possible. Always strive to under-promise and over-deliver. Treat your users how you want to be treated and be personable. People appreciate that even if they do not like or agree with the answer. They will respect you and your product more.

The Mac security software landscape is getting more diverse every year with clever products seeing the light of day quite often. What security tools do you use and would recommend to our readers?
You might be surprised to learn that we are not all security junkies who have tons of security applications loaded on our hard drives. Some of the security tools though would be applications like Knox and TrueCrypt. While we like firewalls and applications like Little Snitch, we do not use anti-virus software on our Macs.

Security is also about a lot more than software. We have promoted the use of strong passwords for a very long time and 1Password is the tool to help you manage those. But, security is not a program that you install. In addition to using strong passwords we also recommend using the tools that are already on the Mac. This includes setting up and using account passwords, configuring screen savers to require a password when returning, and not making things generally easy to compromise. Physical security is also very important. This is particularly true with mobile devices and laptops. People need to keep their hands and eyes on these devices and treat them like the wallet in their pocket. Most people wouldn’t leave their wallet with the driver’s license and credit cards laying out on a table in a public place. It only takes a few seconds of inattention for a laptop to be taken.

Back to software though, we are all fairly crazy about productivity enhancers and utilities. After 1Password, TextExpander would be my second favorite. There is just so much utility in being able to expand snippets that can include plain text, formatted text, or pictures. I also use it for creating short URLs on the fly. Dropbox is also something we all use and love especially since you can use it to sync your 1Password data across Macs. I’m a screenshot utility junkie as well and have bought just about all of them. However, LittleSnapper is my current favorite as it includes iPhoto-like image organization of your snaps. Time Machine is great but not having a fully bootable backup of your hard drive is just scary. SuperDuper takes that worry off my plate and I highly recommend it. Launchbar is another great utility. I mainly use it for application launching but it has so much more power. I’ve also bought several FTP clients but use Fetch because I just love that dog running across the window. Finally, some hidden gems that I use that may not make a lot of top ten lists are Hazel, Mousepose, Speed Download, ImageWell, SteerMouse, and BetterZip. Generally, we love Mac software and all of us buy quite a bit.